Purging Old NT Security Protocols

Hi folks, Ned here again (with some friends). Everyone knows that Kerberos is Microsoft’s preeminent security protocol and that NTLM is both inefficient and, in some iterations, not strong enough to avoid concerted attack. NTLM V2 using complex passwords stands up well to common hash cracking tools like Cain and Abel, Ophcrack, or John the…
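
Before you can purge LM and NTLMv1 you need to know where they are still allowed and still used. The following PowerShell is an added example, not code from the original post; it reads the local LSA settings that govern which NTLM responses a host will send or accept and, where NTLM auditing has been switched on, lists the NTLM operational events recorded on this machine. Registry paths, value names and event IDs are the standard Windows ones; the interpretation comments assume Windows Vista / Server 2008 or later defaults.

```powershell
# Added example: survey this host's LM/NTLM posture. Run elevated on a member or DC.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

# LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, 3 sends NTLMv2 only,
# 4 makes a DC refuse LM, 5 makes a DC refuse both LM and NTLMv1.
# When the value is absent, Vista/2008 and later behave as level 3.
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 3 }

# NoLMHash = 1 means the LM hash is no longer stored at password change.
$noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($null -eq $noLm) { $noLm = 1 }   # default since Vista/2008

# NTLM blocking/auditing policies (Win7/2008 R2 and later), stored under MSV1_0:
#   RestrictSendingNTLMTraffic   0 allow, 1 audit, 2 deny   (outgoing NTLM)
#   AuditReceivingNTLMTraffic    0 off,   1 domain accounts, 2 all accounts
#   RestrictReceivingNTLMTraffic 0 allow, 1 deny domain, 2 deny all
$ntlmPolicy = Get-ItemProperty -Path $msv -ErrorAction SilentlyContinue

[pscustomobject]@{
    Host                         = $env:COMPUTERNAME
    LmCompatibilityLevel         = $level
    SendsLmOrNtlmV1              = ($level -le 2)
    LmHashStorageDisabled        = ($noLm -eq 1)
    RestrictSendingNTLMTraffic   = $ntlmPolicy.RestrictSendingNTLMTraffic
    AuditReceivingNTLMTraffic    = $ntlmPolicy.AuditReceivingNTLMTraffic
    RestrictReceivingNTLMTraffic = $ntlmPolicy.RestrictReceivingNTLMTraffic
} | Format-List

# If auditing is enabled, the NTLM operational log records who is still using it:
#   8001 outgoing NTLM from this host, 8002 incoming NTLM to this host,
#   8003 NTLM for domain accounts (member), 8004 NTLM processed by a DC.
$events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue
if ($events) {
    $events |
        Where-Object { $_.Id -in 8001, 8002, 8003, 8004 } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host 'No NTLM operational events found; enable "Network security: Restrict NTLM: Audit ..." policies first.'
}
```

Run this across a sample of servers before raising LmCompatibilityLevel: a host at level 3 or above with no 800x events after an audit window is a safe candidate, while recurring 8004 events on a DC name the clients that still need attention.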

RPC over IT/Pro

Hi folks, Ned here again to talk about one of the most commonly used – and least understood – network protocols in Windows: Remote Procedure Call. Understanding RPC is a foundation for any successful IT Professional. It’s integral to distributed systems like Active Directory, Exchange, SQL, and System Center. The administrator who has never run…

Windows 8 for the IT Pro: The New Plumbing

Hi folks, Ned coming to you from the secret underground redoubt, where the cable is out, the wife is at grad school, and the dogs are napping as autumn finally reaches North Carolina. I’m not a fan of blog posts that only aggregate links and don’t offer original thought. Today I make an exception, as…

Active Directory Site Topology, Not Just for DCs

Mark here again. Following a recent experience in the field (yes, Premier Field Engineers leave the office), I thought it’d be useful to discuss Active Directory Topology and how it influences DFS Namespace and DFS Folder referrals. Let’s look at the following environment for the purposes of our discussion. Let’s suppose that the desired referral…

Friday Mail Sack: Unintended Hilarity Edition

Hiya folks, Ned here again with another week’s questions, comments, and oddities. This time we’re talking: GPMC inconsistent permissions error, ADMT multiple servers, DFSR staging calculation performance, USMT and MAX_PATH, DFSR port 5722 on members, common AD support topics, other things. Let’s get it. Question: When we change security on our group policies using GPMC,…

Kerberos and Load Balancing

Hi guys, Joji Oshima here again. Today I want to talk about configuring Kerberos authentication to work in a load-balanced environment. This is a more advanced topic that requires a basic understanding of how Kerberos works. If you want an overview of Kerberos, I would suggest Rob’s excellent post, Kerberos for the Busy Admin. In…
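
The part of a load-balanced Kerberos setup that most often goes wrong is the Service Principal Name: the client requests a ticket for the load-balanced name, so that name must be registered exactly once, on the account whose key the real servers use to decrypt the ticket. The PowerShell below is an added example, not code from the original post. It assumes a hypothetical farm name webfarm.contoso.com fronting IIS servers whose application pool runs as the domain account svc-webfarm; it uses only the built-in setspn.exe switches (-Q query, -S add with duplicate check, -L list).

```powershell
# Added example: register the load-balanced HTTP SPN on the shared service account,
# refusing to create a duplicate. Names below are assumptions; change them.
$LbFqdn  = 'webfarm.contoso.com'
$Account = 'svc-webfarm'                     # sAMAccountName of the app pool identity
$LbShort = $LbFqdn.Split('.')[0]             # clients may also use the short name

foreach ($spn in @("HTTP/$LbFqdn", "HTTP/$LbShort")) {
    # setspn -Q searches the whole forest. A duplicate SPN leaves the KDC unable to
    # choose one account; Kerberos then fails and clients quietly fall back to NTLM.
    $query = setspn -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        $owner = ($query | Where-Object { $_ -match '^CN=' }) -join '; '
        if ($owner -match "^CN=$([regex]::Escape($Account))," ) {
            Write-Host "$spn already registered on $Account - nothing to do"
        } else {
            Write-Warning "$spn is registered on another object: $owner"
            Write-Warning "Remove it there (setspn -D) before registering it on $Account, or tickets will be encrypted with the wrong key"
        }
    } else {
        Write-Host "Registering $spn on $Account"
        setspn -S $spn $Account              # -S re-checks for duplicates before adding
    }
}

# Final state: every node behind the load balancer must map to this one account.
setspn -L $Account
```

Two checks after running it: each farm node must run the service as the same account (a second node using its machine account reintroduces the wrong-key problem), and on IIS 7 and later kernel-mode authentication decrypts tickets with the machine account key unless useAppPoolCredentials is set to true, so either set that or disable kernel-mode authentication for the site.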

Friday Mail Sack: Beard-Seconds Edition

Hiya folks, Ned here again. This week we talk: DC DNS A Records and Web Servers, Forwarding Security event log subscriptions, Domain password filters, Auditing NTLM vs NTLMv2 on Win2003, Programmatically determining if a UNC is a DFS namespace, DFSR and Excel Shared Workbooks, DFS, DC, Delegation, and Domain Admins, other nonsense. Start the word punching! Question…

Troubleshooting SID translation failures from the obvious to the not so obvious

Hi guys, Joji Oshima here with my first post. A common problem we see is SID translation failure. The problem usually occurs when you add users or groups from a trusted domain into your domain local groups. What you hope to see is the friendly names of the users, and their domain. Unfortunately, you only…
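
A quick way to reproduce the symptom from the command line, and to separate "the SID no longer exists" from "we cannot reach the trusted domain", is to walk a domain local group's raw member attribute and ask LSA to translate each foreign SID yourself. The PowerShell below is an added example, not code from the original post. It assumes a hypothetical group named App-Admins and requires the ActiveDirectory module (RSAT); the .NET SecurityIdentifier.Translate call and the IdentityNotMappedException it throws are the real APIs.

```powershell
# Added example: find members of a domain local group whose SIDs fail to translate.
Import-Module ActiveDirectory

$GroupName = 'App-Admins'    # assumption: replace with your group

# Members from a trusted domain are stored as foreignSecurityPrincipal objects whose
# CN is the SID string itself, under CN=ForeignSecurityPrincipals in your domain.
$group = Get-ADGroup -Identity $GroupName -Properties member

$results = foreach ($dn in $group.member) {
    if ($dn -match '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') {
        $sidString = $Matches[1]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        try {
            # Translate hands the SID to the local LSA, which has to cross the trust to
            # the owning domain. Success gives DOMAIN\name; failure is the "only a SID" symptom.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Member = $sidString; Resolved = $name; Status = 'OK' }
        } catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{ Member = $sidString; Resolved = $null; Status = 'UNRESOLVED' }
        }
    } else {
        [pscustomobject]@{ Member = $dn; Resolved = '(same-domain object)'; Status = 'OK' }
    }
}

$results | Format-Table -AutoSize

# Triage hints for each unresolved SID: the domain portion (everything before the
# last hyphen-separated RID) tells you which trusted domain owns it.
$results | Where-Object Status -eq 'UNRESOLVED' | ForEach-Object {
    $domainSid = $_.Member -replace '-\d+$', ''
    Write-Warning "$($_.Member) (domain $domainSid) did not translate."
    Write-Warning '  Check the trust with: nltest /trusted_domains   and   nltest /sc_verify:<trusted domain>'
    Write-Warning '  Check that DNS resolves the trusted domain and its DCs, and that ports 88/135/389/445 are open to them.'
    Write-Warning '  If the trust is healthy, the account was probably deleted in the trusted domain; remove the stale member.'
}
```

If every foreign member of the group fails at once, suspect the trust or name resolution; if only one or two fail while others from the same domain translate, the objects themselves are gone and the entries are safe to clean up.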

Friday Mail Sack: Peevish Nediquette Edition

Hi folks, Ned here again. This week I talk about Vista’s hidden AD schema, SYSVOL migration mission control, kick-starting cached logon performance, USMT c’est la vie, foul-mouthed NetBIOS, DFSR do-over, and the usual random goo. What to do with a Version 39 (Vista Beta) AD Schema; when to migrate SYSVOL – Win2008 or Win2008 R2…

I’ll take NDES in the DMZ, for 1000 Alex

Hello. Jim here yet again to talk to you about deploying Windows Server 2008 R2 with the Network Device Enrollment Services (NDES) role in a secure perimeter network. Let’s consider the scenario. You have an internal PKI hierarchy consisting of an Offline Root Certificate Authority (CA), a policy CA, and an issuing CA. You want…